KMIP-interop-tech

  • 1.  RE: [kmip-interop-tech] Key wrapping use case

    Posted 06-09-2011 15:41
    And is it okay for the server – if it has a policy that requires key wrapping for certain keys – to return the requested key wrapped when the client omits the Key Wrapping Specification from the Get request? Or would/should the server reject such a request?

    John

    From: Mathias Bjoerkqvist1 [mailto:MBJ@zurich.ibm.com]
    Sent: Friday, 10 June 2011 1:30 AM
    To: Pochuev,Denis
    Cc: kmip-interop-tech@lists.oasis-open.org
    Subject: [kmip-interop-tech] Key wrapping use case

    Hi Denis,

    To retrieve a key wrapped (encrypted and/or MAC/Signed), the Key Wrapping Specification must be specified in the Get request. However, the Cryptographic Parameters may be omitted from the Key Wrapping Specification, in which case the Cryptographic Parameters attribute instance with the lowest index value for the Encryption Key and/or MAC/Signature key is used. For the proposed key wrapping use case, the Get response would look the same even if the Cryptographic Parameters were omitted from the Key Wrapping Specification in the Get request.

    If the whole Key Wrapping Specification is omitted from the Get request, then the key that is retrieved will be in cleartext and unwrapped. I can add another Get to the use case to make this clear.

    For this and possible future key wrapping use cases, I would suggest also adding a reference to Section 3.21 in the Usage Guide which addresses key wrapping.

    Thanks,
    Mathias


  • 2.  RE: [kmip-interop-tech] Key wrapping use case

    Posted 06-09-2011 16:07
    "John Leiseboer" <jleiseboer@bigpond.com> wrote on 09.06.2011 17:40:45:
    > And is it okay for the server – if it has a policy that requires key
    > wrapping for certain keys – to return the requested key wrapped when
    > the client omits the Key Wrapping Specification from the Get
    > request? Or would/should the server reject such a request?

    Actually, I'm not sure about that. I couldn't find any text on this in the specification. The Usage Guide has much more on key wrapping, but it didn't seem to address this issue either. So for v1.0, I would say that you could interpret the spec in a way that allows the server to return the key wrapped, even if the client did not ask for this. I don't think this was intended, and I think this needs to be clarified.

    Tim wrote:
    > How do you register a wrapped key that never has a plaintext version of it
    > available? What does GET do for that?

    IIRC, you have to specify the Unique Identifier of the wrapping key when you register a wrapped key. That Unique Identifier should exist on the server, but maybe it doesn't have to? I'd have to look that up. However, the key that the Unique Identifier points to may have been registered without the key material. If you then tried to get the key unwrapped, the server would not be able to unwrap it and would return a PERMISSION_DENIED (?) error.

    Another issue is that there is no way for the client to find out which key(s) it should ask to get the key wrapped with after it has registered it. If a server could return the key wrapped even when not requested to be wrapped by the client, then would we also need a new option to explicitly ask for the key unwrapped (wrapped might be the default server policy for a specific key, but unwrapped might still be allowed if explicitly asked for)?

    Regards,
    Mathias


  • 3.  RE: [kmip-interop-tech] Key wrapping use case

    Posted 06-09-2011 16:19
    Tim’s use case is addressed in the Usage Guide (3.21.5). You can register the wrapped key as an opaque cryptographic object. In this case, the key format type is opaque and not the object type.

    Regarding John’s question, we don’t address this case in the KMIP documentation. If the key should never be exported in plaintext, it should really be stored as an opaque object.

    -Indra

    From: Mathias Bjoerkqvist1 [mailto:MBJ@zurich.ibm.com]
    Sent: Thursday, June 09, 2011 9:06 AM
    To: jl@quintessencelabs.com
    Cc: kmip-interop-tech@lists.oasis-open.org
    Subject: RE: [kmip-interop-tech] Key wrapping use case
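The Get behaviours the thread walks through, as an added toy model written for this page (not KMIP reference code and not from any of the posters): omitting the whole Key Wrapping Specification returns cleartext, omitting only the Cryptographic Parameters falls back to the lowest-index attribute instance on the wrapping key, a wrapping key registered without material cannot wrap, and a key whose policy forbids plaintext export is rejected rather than silently wrapped (one of the two options John raises; the `plaintext_export_ok` flag and the XOR "wrap" are constructed placeholders).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ManagedKey:
    uid: str
    material: Optional[bytes]                          # None: registered without material
    crypto_params: list = field(default_factory=list)  # attribute instances, index 0 first
    plaintext_export_ok: bool = True                   # hypothetical server policy flag

@dataclass
class KeyWrappingSpecification:
    encryption_key_uid: str
    cryptographic_parameters: Optional[dict] = None    # None: omitted by the client

class PermissionDenied(Exception):
    pass

def toy_wrap(material: bytes, kek: bytes) -> bytes:
    """Stand-in for a real wrap: XOR with the KEK. Illustration only, not cryptography."""
    return bytes(m ^ kek[i % len(kek)] for i, m in enumerate(material))

class Server:
    def __init__(self, keys):
        self.keys = {k.uid: k for k in keys}

    def get(self, uid: str, spec: Optional[KeyWrappingSpecification] = None) -> dict:
        key = self.keys[uid]
        if spec is None:
            # Whole Key Wrapping Specification omitted: cleartext, unwrapped ...
            if not key.plaintext_export_ok:
                # ... unless policy forbids plaintext export; reject instead of wrapping unasked
                raise PermissionDenied("plaintext export not allowed for " + uid)
            return {"uid": uid, "wrapped": False, "key_material": key.material}
        kek = self.keys.get(spec.encryption_key_uid)
        if kek is None or kek.material is None:
            # Wrapping key unknown or registered without material: server cannot wrap
            raise PermissionDenied("no material for wrapping key " + spec.encryption_key_uid)
        params = spec.cryptographic_parameters
        if params is None:
            # Cryptographic Parameters omitted: lowest-index instance on the wrapping key
            if not kek.crypto_params:
                raise PermissionDenied("no Cryptographic Parameters on " + kek.uid)
            params = kek.crypto_params[0]
        return {"uid": uid, "wrapped": True, "wrapping_key": kek.uid, "params": params,
                "key_material": toy_wrap(key.material, kek.material)}
```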